-rw-r--r--cmd/podman/root.go4
-rw-r--r--cmd/podman/system/reset.go3
-rw-r--r--docs/source/markdown/options/privileged.md14
-rw-r--r--docs/source/markdown/options/sysctl.md21
-rw-r--r--docs/source/markdown/podman-create.1.md.in32
-rw-r--r--docs/source/markdown/podman-exec.1.md.in16
-rw-r--r--docs/source/markdown/podman-pod-clone.1.md.in22
-rw-r--r--docs/source/markdown/podman-pod-create.1.md.in22
-rw-r--r--docs/source/markdown/podman-run.1.md.in39
-rw-r--r--docs/source/markdown/podman-system-reset.1.md1
-rw-r--r--libpod/events.go12
-rw-r--r--libpod/oci_conmon_attach_common.go6
-rw-r--r--libpod/oci_conmon_common.go12
-rw-r--r--libpod/oci_conmon_exec_common.go34
-rw-r--r--libpod/oci_conmon_exec_freebsd.go10
-rw-r--r--libpod/oci_conmon_exec_linux.go39
-rw-r--r--pkg/machine/wsl/machine.go4
-rw-r--r--test/system/001-basic.bats2
-rw-r--r--test/system/090-events.bats19
-rw-r--r--test/system/250-systemd.bats6
20 files changed, 154 insertions, 164 deletions
diff --git a/cmd/podman/root.go b/cmd/podman/root.go
index f45dc94b2..0261cd670 100644
--- a/cmd/podman/root.go
+++ b/cmd/podman/root.go
@@ -475,8 +475,8 @@ func rootFlags(cmd *cobra.Command, opts *entities.PodmanConfig) {
pFlags.StringVar(&logLevel, logLevelFlagName, logLevel, fmt.Sprintf("Log messages above specified level (%s)", strings.Join(common.LogLevels, ", ")))
_ = rootCmd.RegisterFlagCompletionFunc(logLevelFlagName, common.AutocompleteLogLevel)
- pFlags.BoolVar(&debug, "debug", false, "Docker compatibility, force setting of log-level")
- _ = pFlags.MarkHidden("debug")
+ lFlags.BoolVarP(&debug, "debug", "D", false, "Docker compatibility, force setting of log-level")
+ _ = lFlags.MarkHidden("debug")
// Only create these flags for ABI connections
if !registry.IsRemote() {
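Review bot: The rewritten registration on the `+` lines moves `--debug` from `pFlags` to `lFlags`; if those are the persistent and root-local flag sets, `podman <subcommand> --debug` stops being accepted while `podman --debug <subcommand>` (the only placement the new bats test exercises) keeps working, and nothing records why the move was needed — presumably because a persistent `-D` shorthand would be inherited by every subcommand and could collide with one of theirs. A one-line comment above the registration would save the next reader a bisect, e.g. `// Registered on the local set only: a persistent -D would be inherited by subcommands and could clash with their own shorthands.` rootFlags begins before the hunk and continues after it.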
diff --git a/cmd/podman/system/reset.go b/cmd/podman/system/reset.go
index 20f15a34f..02c4a7b46 100644
--- a/cmd/podman/system/reset.go
+++ b/cmd/podman/system/reset.go
@@ -62,7 +62,8 @@ func reset(cmd *cobra.Command, args []string) {
- all images
- all networks
- all build cache
- - all machines`)
+ - all machines
+ - all volumes`)
if len(listCtn) > 0 {
fmt.Println(`WARNING! The following external containers will be purged:`)
diff --git a/docs/source/markdown/options/privileged.md b/docs/source/markdown/options/privileged.md
new file mode 100644
index 000000000..8d9746d6b
--- /dev/null
+++ b/docs/source/markdown/options/privileged.md
@@ -0,0 +1,14 @@
+#### **--privileged**
+
+Give extended privileges to this container. The default is **false**.
+
+By default, Podman containers are unprivileged (**=false**) and cannot, for
+example, modify parts of the operating system. This is because by default a
+container is only allowed limited access to devices. A "privileged" container
+is given the same access to devices as the user launching the container.
+
+A privileged container turns off the security features that isolate the
+container from the host. Dropped Capabilities, limited devices, read-only mount
+points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
+
+Rootless containers cannot have more privileges than the account that launched them.
diff --git a/docs/source/markdown/options/sysctl.md b/docs/source/markdown/options/sysctl.md
new file mode 100644
index 000000000..6fc1bbebe
--- /dev/null
+++ b/docs/source/markdown/options/sysctl.md
@@ -0,0 +1,21 @@
+#### **--sysctl**=*name=value*
+
+Configure namespaced kernel parameters <<at runtime|for all containers in the pod>>.
+
+For the IPC namespace, the following sysctls are allowed:
+
+- kernel.msgmax
+- kernel.msgmnb
+- kernel.msgmni
+- kernel.sem
+- kernel.shmall
+- kernel.shmmax
+- kernel.shmmni
+- kernel.shm_rmid_forced
+- Sysctls beginning with fs.mqueue.\*
+
+Note: <<if you use the **--ipc=host** option|if the ipc namespace is not shared within the pod>>, the above sysctls are not allowed.
+
+For the network namespace, only sysctls beginning with net.\* are allowed.
+
+Note: <<if you use the **--network=host** option|if the network namespace is not shared within the pod>>, the above sysctls are not allowed.
diff --git a/docs/source/markdown/podman-create.1.md.in b/docs/source/markdown/podman-create.1.md.in
index ac45fa61d..a20aeafcd 100644
--- a/docs/source/markdown/podman-create.1.md.in
+++ b/docs/source/markdown/podman-create.1.md.in
@@ -354,21 +354,7 @@ To make a pod with more granular options, use the `podman pod create` command be
@@option pod-id-file.container
-#### **--privileged**
-
-Give extended privileges to this container. The default is *false*.
-
-By default, Podman containers are
-“unprivileged” (=false) and cannot, for example, modify parts of the operating system.
-This is because by default a container is not allowed to access any devices.
-A “privileged” container is given access to all devices.
-
-When the operator executes a privileged container, Podman enables access
-to all devices on the host, turns off graphdriver mount options, as well as
-turning off most of the security measures protecting the host from the
-container.
-
-Rootless containers cannot have more privileges than the account that launched them.
+@@option privileged
#### **--publish**, **-p**=*[[ip:][hostPort]:]containerPort[/protocol]*
@@ -500,21 +486,7 @@ When size is `0`, there is no limit on the amount of memory used for IPC by the
@@option subuidname
-#### **--sysctl**=*SYSCTL*
-
-Configure namespaced kernel parameters at runtime
-
-IPC Namespace - current sysctls allowed:
-
-kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
-Sysctls beginning with fs.mqueue.*
-
-Note: if you use the --ipc=host option these sysctls will not be allowed.
-
-Network Namespace - current sysctls allowed:
- Sysctls beginning with net.*
-
-Note: if you use the --network=host option these sysctls will not be allowed.
+@@option sysctl
@@option systemd
diff --git a/docs/source/markdown/podman-exec.1.md.in b/docs/source/markdown/podman-exec.1.md.in
index 3202159c9..0d161ef66 100644
--- a/docs/source/markdown/podman-exec.1.md.in
+++ b/docs/source/markdown/podman-exec.1.md.in
@@ -44,21 +44,7 @@ to run containers such as CRI-O, the last started container could be from either
Pass down to the process N additional file descriptors (in addition to 0, 1, 2). The total FDs will be 3+N.
-#### **--privileged**
-
-Give extended privileges to this container. The default is *false*.
-
-By default, Podman containers are
-"unprivileged" and cannot, for example, modify parts of the operating system.
-This is because by default a container is only allowed limited access to devices.
-A "privileged" container is given the same access to devices as the user launching the container.
-
-A privileged container turns off the security features that isolate the
-container from the host. Dropped Capabilities, limited devices, read/only mount
-points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
-
-Rootless containers cannot have more privileges than the account that launched them.
-
+@@option privileged
#### **--tty**, **-t**
diff --git a/docs/source/markdown/podman-pod-clone.1.md.in b/docs/source/markdown/podman-pod-clone.1.md.in
index 32183d778..193f4eae2 100644
--- a/docs/source/markdown/podman-pod-clone.1.md.in
+++ b/docs/source/markdown/podman-pod-clone.1.md.in
@@ -114,27 +114,7 @@ clone process has completed. All containers within the pod are started.
@@option subuidname
-#### **--sysctl**=*name=value*
-
-Configure namespace kernel parameters for all containers in the new pod.
-
-For the IPC namespace, the following sysctls are allowed:
-
-- kernel.msgmax
-- kernel.msgmnb
-- kernel.msgmni
-- kernel.sem
-- kernel.shmall
-- kernel.shmmax
-- kernel.shmmni
-- kernel.shm_rmid_forced
-- Sysctls beginning with fs.mqueue.\*
-
-Note: if the ipc namespace is not shared within the pod, these sysctls are not allowed.
-
-For the network namespace, only sysctls beginning with net.\* are allowed.
-
-Note: if the network namespace is not shared within the pod, these sysctls are not allowed.
+@@option sysctl
@@option uidmap.pod
diff --git a/docs/source/markdown/podman-pod-create.1.md.in b/docs/source/markdown/podman-pod-create.1.md.in
index b747022eb..7dc5fd052 100644
--- a/docs/source/markdown/podman-pod-create.1.md.in
+++ b/docs/source/markdown/podman-pod-create.1.md.in
@@ -255,27 +255,7 @@ When size is `0`, there is no limit on the amount of memory used for IPC by the
@@option subuidname
-#### **--sysctl**=*name=value*
-
-Configure namespace kernel parameters for all containers in the pod.
-
-For the IPC namespace, the following sysctls are allowed:
-
-- kernel.msgmax
-- kernel.msgmnb
-- kernel.msgmni
-- kernel.sem
-- kernel.shmall
-- kernel.shmmax
-- kernel.shmmni
-- kernel.shm_rmid_forced
-- Sysctls beginning with fs.mqueue.\*
-
-Note: if the ipc namespace is not shared within the pod, these sysctls are not allowed.
-
-For the network namespace, only sysctls beginning with net.\* are allowed.
-
-Note: if the network namespace is not shared within the pod, these sysctls are not allowed.
+@@option sysctl
@@option uidmap.pod
diff --git a/docs/source/markdown/podman-run.1.md.in b/docs/source/markdown/podman-run.1.md.in
index d9b4fe5c3..2bb3098e2 100644
--- a/docs/source/markdown/podman-run.1.md.in
+++ b/docs/source/markdown/podman-run.1.md.in
@@ -385,20 +385,7 @@ If a container is run with a pod, and the pod has an infra-container, the infra-
Pass down to the process N additional file descriptors (in addition to 0, 1, 2).
The total FDs will be 3+N. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines)
-#### **--privileged**
-
-Give extended privileges to this container. The default is **false**.
-
-By default, Podman containers are unprivileged (**=false**) and cannot, for
-example, modify parts of the operating system. This is because by default a
-container is only allowed limited access to devices. A "privileged" container
-is given the same access to devices as the user launching the container.
-
-A privileged container turns off the security features that isolate the
-container from the host. Dropped Capabilities, limited devices, read-only mount
-points, Apparmor/SELinux separation, and Seccomp filters are all disabled.
-
-Rootless containers cannot have more privileges than the account that launched them.
+@@option privileged
#### **--publish**, **-p**=*[[ip:][hostPort]:]containerPort[/protocol]*
@@ -542,29 +529,7 @@ Sets whether the signals sent to the **podman run** command are proxied to the c
@@option subuidname
-#### **--sysctl**=*name=value*
-
-Configure namespaced kernel parameters at runtime.
-
-For the IPC namespace, the following sysctls are allowed:
-
-- kernel.msgmax
-- kernel.msgmnb
-- kernel.msgmni
-- kernel.sem
-- kernel.shmall
-- kernel.shmmax
-- kernel.shmmni
-- kernel.shm_rmid_forced
-- Sysctls beginning with fs.mqueue.\*
-
-Note: if you use the **--ipc=host** option, the above sysctls will not be allowed.
-
-For the network namespace, the following sysctls are allowed:
-
-- Sysctls beginning with net.\*
-
-Note: if you use the **--network=host** option, these sysctls will not be allowed.
+@@option sysctl
@@option systemd
diff --git a/docs/source/markdown/podman-system-reset.1.md b/docs/source/markdown/podman-system-reset.1.md
index a36e597f7..8eee416c7 100644
--- a/docs/source/markdown/podman-system-reset.1.md
+++ b/docs/source/markdown/podman-system-reset.1.md
@@ -37,6 +37,7 @@ WARNING! This will remove:
- all networks
- all build cache
- all machines
+ - all volumes
Are you sure you want to continue? [y/N] y
```
diff --git a/libpod/events.go b/libpod/events.go
index c9e4c9d26..60142cb60 100644
--- a/libpod/events.go
+++ b/libpod/events.go
@@ -55,6 +55,12 @@ func (c *Container) newContainerExitedEvent(exitCode int32) {
e.Image = c.config.RootfsImageName
e.Type = events.Container
e.ContainerExitCode = int(exitCode)
+
+ e.Details = events.Details{
+ ID: e.ID,
+ Attributes: c.Labels(),
+ }
+
if err := c.runtime.eventer.Write(e); err != nil {
logrus.Errorf("Unable to write container exited event: %q", err)
}
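Review bot: The new `e.Details` assignment stores whatever `c.Labels()` returns as the event's attribute map; if that accessor hands back the container's own label map rather than a copy (not visible here), the event keeps a live alias into container config until `eventer.Write` serialises it, and anything that later adds attributes to the event would write through to the container. If `Labels()` already copies, a comment on the `Attributes:` line would settle it, e.g. `Attributes: c.Labels(), // Labels() returns a copy; the event owns this map`. The same literal is repeated in newExecDiedEvent below, so a small `c.eventDetails(id)` helper would keep the two in step. newContainerExitedEvent starts before the hunk.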
@@ -70,6 +76,12 @@ func (c *Container) newExecDiedEvent(sessionID string, exitCode int) {
e.ContainerExitCode = exitCode
e.Attributes = make(map[string]string)
e.Attributes["execID"] = sessionID
+
+ e.Details = events.Details{
+ ID: e.ID,
+ Attributes: c.Labels(),
+ }
+
if err := c.runtime.eventer.Write(e); err != nil {
logrus.Errorf("Unable to write exec died event: %q", err)
}
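Review bot: The `execID` attribute set on the two context lines above is very likely discarded by the new `e.Details = events.Details{...}` assignment: `e.Attributes` and `e.ID` are addressed directly on the event, which indicates `Details` is an embedded struct, so assigning a fresh `Details` whose `Attributes` is `c.Labels()` replaces the map that held `execID`, and consumers keying exec-died events on that attribute would see only labels. Populate the labels first and add the session id on top: `e.Details = events.Details{ID: e.ID, Attributes: c.Labels()}`, then `if e.Attributes == nil { e.Attributes = make(map[string]string) }`, then `e.Attributes["execID"] = sessionID` — provided `Labels()` returns a copy, otherwise this would mutate the container's own label map. newExecDiedEvent begins before the hunk.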
diff --git a/libpod/oci_conmon_attach_common.go b/libpod/oci_conmon_attach_common.go
index a9e9b2bb5..dec749837 100644
--- a/libpod/oci_conmon_attach_common.go
+++ b/libpod/oci_conmon_attach_common.go
@@ -280,20 +280,20 @@ func readStdio(conn *net.UnixConn, streams *define.AttachStreams, receiveStdoutE
var err error
select {
case err = <-receiveStdoutError:
- if err := conn.CloseWrite(); err != nil {
+ if err := socketCloseWrite(conn); err != nil {
logrus.Errorf("Failed to close stdin: %v", err)
}
return err
case err = <-stdinDone:
if err == define.ErrDetach {
- if err := conn.CloseWrite(); err != nil {
+ if err := socketCloseWrite(conn); err != nil {
logrus.Errorf("Failed to close stdin: %v", err)
}
return err
}
if err == nil {
// copy stdin is done, close it
- if connErr := conn.CloseWrite(); connErr != nil {
+ if connErr := socketCloseWrite(conn); connErr != nil {
logrus.Errorf("Unable to close conn: %v", connErr)
}
}
diff --git a/libpod/oci_conmon_common.go b/libpod/oci_conmon_common.go
index cc65e1261..87f0aa4ad 100644
--- a/libpod/oci_conmon_common.go
+++ b/libpod/oci_conmon_common.go
@@ -477,6 +477,16 @@ func (r *ConmonOCIRuntime) UnpauseContainer(ctr *Container) error {
return utils.ExecCmdWithStdStreams(os.Stdin, os.Stdout, os.Stderr, env, r.path, append(r.runtimeFlags, "resume", ctr.ID())...)
}
+// This filters out ENOTCONN errors which can happen on FreeBSD if the
+// other side of the connection is already closed.
+func socketCloseWrite(conn *net.UnixConn) error {
+ err := conn.CloseWrite()
+ if err != nil && errors.Is(err, syscall.ENOTCONN) {
+ return nil
+ }
+ return err
+}
+
// HTTPAttach performs an attach for the HTTP API.
// The caller must handle closing the HTTP connection after this returns.
// The cancel channel is not closed; it is up to the caller to do so after
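Review bot: The doc comment on `socketCloseWrite` frames ENOTCONN as a FreeBSD case, but the helper lives in the common file and swallows ENOTCONN on every platform, so Linux callers also stop logging a half-close that fails because the peer is already gone; that is probably acceptable, but it should be stated rather than implied. The comment also does not start with the function name, which godoc tooling expects. Suggest `// socketCloseWrite half-closes the write side of conn. ENOTCONN is treated as success on all platforms: it means the peer already closed (observed on FreeBSD) and there is nothing left to shut down.`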
@@ -689,7 +699,7 @@ func (r *ConmonOCIRuntime) HTTPAttach(ctr *Container, req *http.Request, w http.
return err
}
// copy stdin is done, close it
- if connErr := conn.CloseWrite(); connErr != nil {
+ if connErr := socketCloseWrite(conn); connErr != nil {
logrus.Errorf("Unable to close conn: %v", connErr)
}
case <-cancel:
diff --git a/libpod/oci_conmon_exec_common.go b/libpod/oci_conmon_exec_common.go
index 16cd7ef9f..735dbb9c4 100644
--- a/libpod/oci_conmon_exec_common.go
+++ b/libpod/oci_conmon_exec_common.go
@@ -12,7 +12,6 @@ import (
"syscall"
"time"
- "github.com/containers/common/pkg/capabilities"
"github.com/containers/common/pkg/config"
"github.com/containers/common/pkg/resize"
cutil "github.com/containers/common/pkg/util"
@@ -386,7 +385,7 @@ func (r *ConmonOCIRuntime) startExec(c *Container, sessionID string, options *Ex
finalEnv = append(finalEnv, fmt.Sprintf("%s=%s", k, v))
}
- processFile, err := prepareProcessExec(c, options, finalEnv, sessionID)
+ processFile, err := c.prepareProcessExec(options, finalEnv, sessionID)
if err != nil {
return nil, nil, err
}
@@ -654,7 +653,7 @@ func attachExecHTTP(c *Container, sessionID string, r *http.Request, w http.Resp
return err
}
// copy stdin is done, close it
- if connErr := conn.CloseWrite(); connErr != nil {
+ if connErr := socketCloseWrite(conn); connErr != nil {
logrus.Errorf("Unable to close conn: %v", connErr)
}
case <-cancel:
@@ -665,7 +664,7 @@ func attachExecHTTP(c *Container, sessionID string, r *http.Request, w http.Resp
// prepareProcessExec returns the path of the process.json used in runc exec -p
// caller is responsible to close the returned *os.File if needed.
-func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessionID string) (*os.File, error) {
+func (c *Container) prepareProcessExec(options *ExecOptions, env []string, sessionID string) (*os.File, error) {
f, err := ioutil.TempFile(c.execBundlePath(sessionID), "exec-process-")
if err != nil {
return nil, err
@@ -745,34 +744,9 @@ func prepareProcessExec(c *Container, options *ExecOptions, env []string, sessio
pspec.User = processUser
}
- ctrSpec, err := c.specFromState()
- if err != nil {
- return nil, err
- }
-
- allCaps, err := capabilities.BoundingSet()
- if err != nil {
+ if err := c.setProcessCapabilitiesExec(options, user, execUser, pspec); err != nil {
return nil, err
}
- if options.Privileged {
- pspec.Capabilities.Bounding = allCaps
- } else {
- pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
- }
-
- // Always unset the inheritable capabilities similarly to what the Linux kernel does
- // They are used only when using capabilities with uid != 0.
- pspec.Capabilities.Inheritable = []string{}
-
- if execUser.Uid == 0 {
- pspec.Capabilities.Effective = pspec.Capabilities.Bounding
- pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
- } else if user == c.config.User {
- pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
- pspec.Capabilities.Inheritable = ctrSpec.Process.Capabilities.Effective
- pspec.Capabilities.Permitted = ctrSpec.Process.Capabilities.Effective
- pspec.Capabilities.Ambient = ctrSpec.Process.Capabilities.Effective
- }
hasHomeSet := false
for _, s := range pspec.Env {
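Review bot: After this hunk the capability set of an exec session on non-Linux builds is whatever `pspec.Capabilities` held before the call, because the FreeBSD `setProcessCapabilitiesExec` stub added in this diff returns nil without touching it, which makes `options.Privileged` a silent no-op there. If that is intended, say so at the call site so nobody mistakes it for a missing port: `// Linux applies the container's bounding set (or the full set for --privileged); other platforms leave pspec.Capabilities untouched.` The surrounding prepareProcessExec body starts and ends outside the hunk.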
diff --git a/libpod/oci_conmon_exec_freebsd.go b/libpod/oci_conmon_exec_freebsd.go
new file mode 100644
index 000000000..bf30404a1
--- /dev/null
+++ b/libpod/oci_conmon_exec_freebsd.go
@@ -0,0 +1,10 @@
+package libpod
+
+import (
+ "github.com/opencontainers/runc/libcontainer/user"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func (c *Container) setProcessCapabilitiesExec(options *ExecOptions, user string, execUser *user.ExecUser, pspec *spec.Process) error {
+ return nil
+}
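Review bot: The stub has no doc comment and ignores all four parameters, so a reader cannot tell whether leaving `pspec.Capabilities` untouched is a deliberate platform decision or a TODO; as written, `podman exec --privileged` on FreeBSD changes nothing about the process's privileges. State the intent, e.g. `// setProcessCapabilitiesExec is a no-op on FreeBSD: pspec.Capabilities is left as the caller prepared it and options.Privileged has no effect here.` (adding the reason, presumably the absence of a Linux-style capability model, if that is it). Renaming the unused parameters to `_` would also make the no-op explicit to linters.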
diff --git a/libpod/oci_conmon_exec_linux.go b/libpod/oci_conmon_exec_linux.go
new file mode 100644
index 000000000..617e8d601
--- /dev/null
+++ b/libpod/oci_conmon_exec_linux.go
@@ -0,0 +1,39 @@
+package libpod
+
+import (
+ "github.com/containers/common/pkg/capabilities"
+ "github.com/opencontainers/runc/libcontainer/user"
+ spec "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func (c *Container) setProcessCapabilitiesExec(options *ExecOptions, user string, execUser *user.ExecUser, pspec *spec.Process) error {
+ ctrSpec, err := c.specFromState()
+ if err != nil {
+ return err
+ }
+
+ allCaps, err := capabilities.BoundingSet()
+ if err != nil {
+ return err
+ }
+ if options.Privileged {
+ pspec.Capabilities.Bounding = allCaps
+ } else {
+ pspec.Capabilities.Bounding = ctrSpec.Process.Capabilities.Bounding
+ }
+
+ // Always unset the inheritable capabilities similarly to what the Linux kernel does
+ // They are used only when using capabilities with uid != 0.
+ pspec.Capabilities.Inheritable = []string{}
+
+ if execUser.Uid == 0 {
+ pspec.Capabilities.Effective = pspec.Capabilities.Bounding
+ pspec.Capabilities.Permitted = pspec.Capabilities.Bounding
+ } else if user == c.config.User {
+ pspec.Capabilities.Effective = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Inheritable = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Permitted = ctrSpec.Process.Capabilities.Effective
+ pspec.Capabilities.Ambient = ctrSpec.Process.Capabilities.Effective
+ }
+ return nil
+}
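Review bot: `setProcessCapabilitiesExec` dereferences `pspec.Capabilities` on every branch, so a caller passing a `spec.Process` with nil `Capabilities` panics; the inline original had the same assumption, but now that this is a separately callable method a guard is cheap: `if pspec.Capabilities == nil { pspec.Capabilities = &spec.LinuxCapabilities{} }` before the first assignment. The method also lacks a doc comment, and its security-relevant rules deserve one: Bounding comes from the container spec unless `options.Privileged` requests the full set, Inheritable is always cleared, uid 0 gets Effective/Permitted equal to Bounding, the container's configured user inherits the container's Effective set, and any other user keeps whatever Effective/Permitted/Ambient were already in `pspec` — that last case reads like an oversight unless stated. The `user string` parameter shadows the imported `user` package inside the body (the signature's `*user.ExecUser` resolves before the parameter is in scope), which compiles but trips readers and linters; `username` would be clearer.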
diff --git a/pkg/machine/wsl/machine.go b/pkg/machine/wsl/machine.go
index 81f1d187f..8b6d74817 100644
--- a/pkg/machine/wsl/machine.go
+++ b/pkg/machine/wsl/machine.go
@@ -1061,7 +1061,7 @@ func launchWinProxy(v *MachineVM) (bool, string, error) {
return globalName, "", err
}
- return globalName, pipePrefix + waitPipe, waitPipeExists(waitPipe, 30, func() error {
+ return globalName, pipePrefix + waitPipe, waitPipeExists(waitPipe, 80, func() error {
active, exitCode := machine.GetProcessState(cmd.Process.Pid)
if !active {
return fmt.Errorf("win-sshproxy.exe failed to start, exit code: %d (see windows event logs)", exitCode)
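Review bot: The retry count on the `+` line and the 250 ms sleep in the next hunk are bare literals in two different functions, so the effective proxy start-up timeout (80 × 250 ms, roughly 20 s, up from about 3 s) is not visible at either site and the two values can drift apart. Name them next to each other, e.g. `const winProxyStartRetries = 80` and `const winProxyStartPollInterval = 250 * time.Millisecond`, and use them in both places. launchWinProxy and waitPipeExists both begin outside the hunk.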
@@ -1099,7 +1099,7 @@ func waitPipeExists(pipeName string, retries int, checkFailure func() error) err
if fail := checkFailure(); fail != nil {
return fail
}
- time.Sleep(100 * time.Millisecond)
+ time.Sleep(250 * time.Millisecond)
}
return err
diff --git a/test/system/001-basic.bats b/test/system/001-basic.bats
index 584511388..1148aaae7 100644
--- a/test/system/001-basic.bats
+++ b/test/system/001-basic.bats
@@ -190,7 +190,9 @@ See 'podman version --help'" "podman version --remote"
run_podman --log-level=error info
run_podman --log-level=fatal info
run_podman --log-level=panic info
+ # docker compat
run_podman --debug info
+ run_podman -D info
run_podman 1 --debug --log-level=panic info
is "$output" "Setting --log-level and --debug is not allowed"
}
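Review bot: The new `run_podman -D info` only checks that the shorthand is accepted; the conflict check two lines below still runs for the long form alone, so a `-D` registered without the `--log-level` conflict handling would pass this test. If `-D` is meant to be a full alias, add `run_podman 1 -D --log-level=panic info` followed by the same `is "$output" "Setting --log-level and --debug is not allowed"` assertion.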
diff --git a/test/system/090-events.bats b/test/system/090-events.bats
index cee0e23b0..cd1bf327b 100644
--- a/test/system/090-events.bats
+++ b/test/system/090-events.bats
@@ -194,3 +194,22 @@ EOF
is "$(wc -l <$eventsFile)" "$(wc -l <<<$output)" "all events are returned"
is "${lines[-2]}" ".* log-rotation $eventsFile"
}
+
+# Prior to #15633, container labels would not appear in 'die' log events
+@test "events - labels included in container die" {
+ skip_if_remote "remote does not support --events-backend"
+ local cname=c$(random_string 15)
+ local lname=l$(random_string 10)
+ local lvalue="v$(random_string 10) $(random_string 5)"
+
+ run_podman 17 --events-backend=file run --rm \
+ --name=$cname \
+ --label=$lname="$lvalue" \
+ $IMAGE sh -c 'exit 17'
+ run_podman --events-backend=file events \
+ --filter=container=$cname \
+ --filter=status=died \
+ --stream=false \
+ --format="{{.Attributes.$lname}}"
+ assert "$output" = "$lvalue" "podman-events output includes container label"
+}
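Review bot: The new test covers only the container `died` event, while the same commit also attaches labels to exec-died events in libpod/events.go; without a second case a regression there goes unnoticed, and the `execID` attribute those events carry is not asserted anywhere either. Consider an exec variant: run a labelled container that stays up, `run_podman 17 exec $cname sh -c 'exit 17'`, then query `events --filter=container=$cname --filter=event=exec_died --format='{{.Attributes.$lname}} {{.Attributes.execID}}'` (status name to be confirmed against the events list) and assert both the label value and a non-empty exec id.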
diff --git a/test/system/250-systemd.bats b/test/system/250-systemd.bats
index dd1a0f05a..b449e49d8 100644
--- a/test/system/250-systemd.bats
+++ b/test/system/250-systemd.bats
@@ -33,7 +33,11 @@ function teardown() {
# Helper to start a systemd service running a container
function service_setup() {
- run_podman generate systemd --new $cname
+ run_podman generate systemd \
+ -e http_proxy -e HTTP_PROXY \
+ -e https_proxy -e HTTPS_PROXY \
+ -e no_proxy -e NO_PROXY \
+ --new $cname
echo "$output" > "$UNIT_FILE"
run_podman rm $cname
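Review bot: Forwarding the proxy variables with `-e` bakes their current values into `$UNIT_FILE`; if a CI proxy URL carries credentials they now sit in a file on disk for the lifetime of the test, so the teardown whose header appears at the top of the hunk should be confirmed to remove `$UNIT_FILE`. A short comment on the `+` lines explaining why the proxy environment is needed (presumably so the systemd-run container can pull `$IMAGE` through the CI proxy) would help, e.g. `# forward proxy settings so the unit can reach the registry in proxied CI`.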